Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile, that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)


Teacherless classrooms?

Someone has made yet another prediction that teachers will shortly be replaced by technology.  Teacherless classrooms are, apparently, the way of the future.

I recall this prediction being made, to great fanfare, thirty years ago.  I was, at the time, a public school teacher, and at a conference on science education.  The first speaker of the day took a bit of time out from his presentation to discuss the issue, and stated that any teacher who *could* be replaced by a computer, *should* be replaced by a computer.  His point was that teaching is a profession, not the push button assembly line job that many people seem to mistake it for.  Any teacher who is so repetitive, so lacking in imagination, so single dimensional, so robotic that they can be replaced by a machine or a process, should be replaced.  A teacher should be able to handle more than “do you want a diploma with that?”

(Go ahead.  Make my day.  Ask me if this is going to be on the final.)

One way or another I have been teaching for more than forty years.  I have taught (in the public school system) every grade level from kindergarten to grade twelve.  I have taught in two-year colleges, and at the post graduate level in academia.  I have taught for business and in commercial training.

I also have a rather broad experience in “distance education.”  I have participated as both director and teacher in video and audio production of teaching materials.  I have created online tutorials for computer-based courses.  I have designed and programmed interactive computer-based training.  Over twenty-five years ago I ran the telecommunications component of the World Logo Conference, which was the first (and possibly still only) event to fully integrate onsite with online participation.  (And which also, since Logo is a “teaching” language, involved many teachers and computer educators.)

I have mentioned that I don’t like Webinars.  That isn’t because I inherently object to the very idea.  I think a good Webinar might be an interesting experience.  But, so far, nobody has figured out that good distance education requires more work, not less.  (In the same way, publishers of textbooks haven’t yet understood that a good textbook requires better writing, not worse.)  We figured this out at the WLC more than two decades ago.  The developers of debuggy figured it out about programmed learning more than three decades ago.

There are some, few, isolated examples of individual lessons that have been done well using video, or the Web, or programmed learning, or various other forms of technology.  But they are, still, few and isolated, and drowned out in the vast sea of mediocre and wretched attempts.  Technology has uses, and good teachers know that.  It’s great for drill and practice in some areas.  The Web is a great place for discovery and research.  Letting a kid loose on the Internet without guidance is a recipe for disaster.  We are a long way, a very, VERY long way, from the use of technology to create entirely teacherless classrooms.

Yes, we can certainly use extra training for a number, possibly a very large number, of teachers who are afraid of the technology and don’t use it well.  But don’t tell me that you can replace them with droids until you can show me that you understand what teaching is all about.


Using Skype Manager? no? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid Phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype, my immediate thought was fraud, a phishing attempt, so I ignored it. But then I noticed I got also emails from Paypal with charges from Skype for 100$ 200$ 300$, and I was worried, was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how the thing got to where it was, and then I noticed, I have become a Skype Manager – wow I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager, is a service Skype gives to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple and so stupid it’s shameful for Skype to not have fixed this, since it was first reported (which I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combination of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never setup a Work email for Skype

Makes it possible for someone to:
1) Setup you as a Skype Manager
2) Setup a new work email on some obscure service (mailinator was used in my case), and have all Skype emails for confirmations sent there

Yes, they don’t need to know anything BESIDES the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing – they don’t need to logon as all they need to do is use the (email) link you get to the newly assigned Work Email, yes, it doesn’t confirm the password – smart ha?

The users added to your Skype Manager can now take the Credit (it’s not money, it’s just call credits) and call anywhere they want.

Why this bug / feature has not been fixed/addressed since the first time it was made public on the Skype Forum (it was probably exploited before then) is anyone’s guess. Talking to the Fraud department of Skype, he mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using Auto-Charge feature – I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if it’s unset, anyone can change it – without needing to know your current password – is this company a PCI authorized company? :D

If you have more insight on the matter, let me know

- Noam


Flame on!

I have been reading about the new Flame (aka Flamer, aka sKyWIper) “supervirus.”

[AAaaaarrrrrrggggghhhh!!!!!!!!  Sorry.  I will try and keep the screaming, in my "outside voice," to a minimum.]

From the Telegraph:

This “virus” [1] is “20 times more powerful” than any other!  [Why?  Because it has 20 times more code?  Because it is running on 20 times more computers?  (It isn't.  If you aren't a sysadmin in the Middle East you basically don't have to worry.)  Because the computers it is running on are 20 times more powerful?  This claim is pointless and ridiculous.]

[I had it right the first time.  The file that is being examined is 20 megabytes.  Sorry, I'm from the old days.  Anybody who needs 20 megs to build a piece of malware isn't a genius.  Tight code is *much* more impressive.  This is just sloppy.]

It “could only have been created by a state.”  [What have you got against those of us who live in provinces?]

“Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats.”  [So?  We had RATs that could do that at least a decade ago.]

“… a Russian security firm that specialises in targeting malicious computer code … made the 20 megabyte virus available to other researchers yesterday claiming it did not fully understand its scope and said its code was 100 times the size of the most malicious software.”  [I rather doubt they made the claim that they didn't understand it.  It would take time to plow through 20 megs of code, so it makes sense to send it around the AV community.  But I still say these "size of code" and "most malicious" statements are useless, to say the least.]

It was “released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.”  [Five years?  Good grief!  This thing is a pretty wimpy virus!  (Or self-limiting in some way.)  Even in the days of BSIs and sneakernet you could spread something around the world in half a year at most.]

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”  [Yeah.  Like "not reproducing."]

“The file, which infects Microsoft Windows computers, has five encryption algorithms,”  [Gosh!  The best we could do before was a couple of dozen!]  “exotic data storage formats”  [Like "not plain text."]  “and the ability to steal documents, spy on computer users and more.”  [Yawn.]

“Components enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus …”  [Gee!  You mean like a botnet or something?]

Sorry.  Yes, I do know that this is supposed to be (and probably is) state-sponsored, and purposefully written to attack specific targets and evade detection.  I get it.  It will be (marginally) interesting to see what they pull out of the code over the next few years.  It’s even kind of impressive that someone built a RAT that went undetected for that long, even though it was specifically built to hide and move slowly.

But all this “supervirus” nonsense is giving me pains.

[1] First off, everybody is calling it a “virus.”  But many reports say they don’t know how it got where it was found.  Duh!  If it’s a virus, that’s kind of the first issue, isn’t it?


Smartphone vulnerabilities

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether you do that or not, it does mean that your device is hackable.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to avoid that, sometimes looking at a secure boot system.  This is usually the same as the “trusted computing” (digital signatures that verify back to a key that is embedded in the hardware) or “trusted execution” (operation restriction) systems.  (Both types were used way back in AV days of old.)  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes letting a check succeed and then doing a swap, or attacking write protection, or messing with the verification process as it is occurring.  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric encryption: once a key is known, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.

Vendors and providers are working towards trusted modules and trustzones in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.


Michelangelo date

OK, having now had this conversation twice, I’ve gone back to the true source of all wisdom on all things viral, “Viruses Revealed.”  I got it off my shelf, of course, but some helpful vxer (who probably thought he was going to harm our sales) posted it on the net, and saved David and me the bother.  (Remember, this guy is a vxer, so that page may not be entirely safe.)

Michelangelo is covered between pages 357 and 361, which is slightly over halfway through the book.  However, since I guess he’s missed out the index and stuff, it turns out to be at about the 3/4 mark on the page he’s created.

Anyway, Michelangelo checks the date via Interrupt 1Ah.  Many people did not understand the difference between the MS-DOS clock and the system clock read by Interrupt 1Ah.  The MS-DOS DATE command did not always alter the system clock.  Network-connected machines often have “time server” functions so that the date is reset to conform to the network.  The year 1992 was a leap year, and many clocks did not deal with it properly.  Thus, for many computers, 6th March came on Thursday, not Friday.
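To make the “day early” effect concrete, here is an added example (not from “Viruses Revealed” or from the virus itself) that models a clock which counts elapsed days correctly but, being unaware of leap years, converts them back to month/day without February 29; it then applies the trigger test the book describes (month 3, day 6) to see which real dates would have fired. The clock model and the function names are my constructed assumptions.

```python
import datetime as dt

# Month lengths as a leap-unaware real-time clock would store them
# (constructed model: February always has 28 days).
MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap(year: int) -> bool:
    """Gregorian leap-year rule."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def clock_date(real: dt.date, leap_aware: bool) -> dt.date:
    """Return the date a modelled clock reports on the real calendar date.

    The clock counts days since January 1 correctly; only the conversion
    back to month/day differs, depending on whether it knows about Feb 29.
    """
    elapsed = (real - dt.date(real.year, 1, 1)).days
    month_days = list(MONTH_DAYS)
    if leap_aware and is_leap(real.year):
        month_days[1] = 29
    month = 1
    for length in month_days:
        if elapsed < length:
            break
        elapsed -= length
        month += 1
    if month > 12:  # leap-unaware clock runs one day into the next year
        return dt.date(real.year + 1, 1, elapsed + 1)
    return dt.date(real.year, month, elapsed + 1)


def report_iso(year: int, month: int, day: int, leap_aware: bool) -> str:
    """Convenience wrapper: the reported date as an ISO string."""
    return clock_date(dt.date(year, month, day), leap_aware).isoformat()


def michelangelo_triggers(reported: dt.date) -> bool:
    """The trigger test as described above: the clock reads March 6."""
    return reported.month == 3 and reported.day == 6


def trigger_dates(year: int, leap_aware: bool) -> list[str]:
    """Real dates in `year` on which the modelled clock reads March 6."""
    day = dt.date(year, 1, 1)
    hits = []
    while day.year == year:
        if michelangelo_triggers(clock_date(day, leap_aware)):
            hits.append(day.isoformat())
        day += dt.timedelta(days=1)
    return hits


def weekday_name(year: int, month: int, day: int) -> str:
    """Weekday of a real calendar date, e.g. 'Thursday'."""
    return dt.date(year, month, day).strftime("%A")


if __name__ == "__main__":
    # In 1992 the leap-unaware clock fires on real March 5 (a Thursday);
    # in the non-leap year 1993 both clocks agree on March 6.
    for year in (1992, 1993):
        print(year, "leap-unaware:", trigger_dates(year, False),
              "leap-aware:", trigger_dates(year, True))
    print(weekday_name(1992, 3, 5))
```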


Michelangelo

Graham Cluley, of Sophos and Naked Security, posted some reminiscences of the Michelangelo virus.  It brought back some memories and he’s told the story well.

I hate to argue with Graham, but, first off, I have to note that the twentieth anniversary of Michelangelo is not tomorrow (March 6, 2012), but today, March 5.  That’s because 1992 was, as this year is, a leap year.  Yes, Michelangelo was timed to go off on March 6th every year, but, due to a shortcut in the code (and bugs in normal computer software), it neglected to factor in leap years.  Therefore, in 1992 many copies went off a day early, on March 5th.

March 5th, 1992, was a rather busy day for me.  I was attending a seminar, but kept getting called out to answer media enquiries.

And then there was the fact that, after all that work and information submitted to the media in advance, and creating copies of Michelangelo on a 3 1/2″ disk (it would normally only infect 5 1/4″s) so I could test it on a safe machine (and then having to recreate the disk when I accidentally triggered the virus), it wasn’t me who got my picture in the paper.  No, it was my baby brother, who a) didn’t believe in the virus, but b) finally, at literally the eleventh hour (11 pm on March 4th) decided to scan his own computer (with a scanner I had given to him), and, when he found he was infected, raised the alarm with his church, and scanned their computers as well.  (Must have been pretty close to midnight, and zero hour, by that time.)  That’s a nice human interest story so he got his picture in the paper.  (Not that I’m bitter, mind you.)

I don’t quite agree with Graham as to the infection rates.  I do know that, since this was the first time we (as the nascent antivirus community) managed to get the attention of the media in advance, there were a great many significant infections that were cleaned off in time, before the trigger date.  I recall notices of thousands of machines cleaned off in various institutions.  But, in a sense, we were victims of our own success.  Having got the word out in advance, by the trigger date most of the infections had been cleaned up.  So, yes, the media saw it as hype on our part.  And then there was the fact that a lot of people had no idea when they got hit.  I was told, by several people, “no, we didn’t get Michelangelo.  But, you know, it’s strange: our computer had a disk failure on that date …”  That was how Michelangelo appeared, when it triggered.

I note that one of the comments wished that we could find out who created the virus.  There is strong evidence that it was created in Taiwan.  And, in response to a posting that I did at the time, I received a message from someone, from Taiwan, who complained that it shouldn’t be called “Michelangelo,” since the real name was “Stoned 3.”  I’ve always felt that only the person who wrote that variant would have been that upset about the naming …


New computers – Kindle

The Girls, who have been having a grand time in recent years finding interesting high tech goodies that I never even knew existed, got me a Kindle for Christmas.  So, of course, I’m going to review the Kindle.

I had been putting off the idea of getting one for myself.  I do a lot of reading, but that’s primarily because I do a lot of reviewing, and for that you need the ability to make notes, and transfer said notes back to the computer for writing up.  So far, I haven’t seen an awful lot that convinces me the e-readers are there yet.

But, I do have to say that, right off the top, the idea of having 60 books (so far) in something that is lighter than a paperback definitely has its attractions.  So far I’ve been able to load the Bible, some tech articles, my own security dictionary, a dozen Sherlock Holmes stories, Don Quixote (both of which I have read), The Divine Comedy, War and Peace (both of which I intend to read–sometime), a fair amount of poetry, and an egalley for Bruce Schneier’s latest (sent along by his publicist).

Unfortunately, all this fun exploring has me somewhat behind in news and email, so I’ll have to start putting together my observations of the Kindle, itself, a bit later.


Nightmare on Malware Street

The Scientific American, no less, has published an article on malware.  Not that they don’t have every right, it’s just that the article is short on fact or help, and long on rather wild conjecture.

The author does have some points to make, even if he makes them very, very badly.

We, both as security professionals and as a society, don’t take malware seriously enough.  The security literature on the subject is appalling.  It is hard to find books on malware, even harder to find good ones, and well nigh impossible to find decent information in general security books.  The problem has been steadily growing since it was a vague academic topic, and has been ignored for so long that, now that it is a real problem, even most security experts have only a tenuous grasp of it.

Almost all reports do sound like paranoid thrillers.  Promoting the idea of shadowy genius figures in dark corners manipulating us at will, this engenders a kind of overall depression: we can’t possibly fight it, so we might as well not even try.  This attitude is further exacerbated by the dearth of information: we can’t even know what’s going on, so how can we even try to fight it?

It is getting more and more difficult to find malware, mostly because we are constantly creating new places for it to hide.  In the name of “user friendliness,” we are building ever more complex systems, with ever more crevices for the pumas to hide in.

Yes, then he goes off into wild speculation and gets all “Reflections on Trusting Trust” on us.  Which kind of loses the valid points.


Security awareness

A recent Twitter post by Team Cymru pointed at a (very brief) debate about the value of security awareness training.  It’s an issue that has concerned me for a long time.

I got interested in security starting with research into viruses and malware.  Early on, I did a lot of work reviewing the various available products.  In the responses I got to my efforts, one point was abundantly clear: everyone, almost without exception, was looking for the “perfect” antivirus.  Even though Fred Cohen had proven that such an animal could not possibly exist, everybody wanted something they could “set and forget.”

Notice two things.  The first is that perfect security doesn’t exist.  As (ISC)2’s marketing phrase has it, security transcends technology.  The second point is that people aren’t particularly keen on learning about security.  They fight against it.  They have to be motivated into it.  And that motivation tends to be individual and personal.

Which means security awareness training is hard, and individual, and therefore expensive.  Expensive means that companies are loath to try it, in any significant way.  Hundreds of thousands or millions of dollars can be spent on a raft of security technologies, but security awareness programs can only get a budget of a few thousand a year.  Which means they can’t be individual, which means they won’t work very well, which means companies aren’t willing to try them.

The default position people take is to resist security awareness.  They don’t want to know extraneous stuff.  They just want to get on with their jobs.  So, even if you were to produce a really good security awareness program, there would undoubtedly still be some who would resist to the end, and not learn.  They wouldn’t benefit from the program, and they would still make mistakes.  So security awareness training won’t be perfect, either.  Sorry about that.

However, I’ve noticed something over the years.  I get asked, by all my friends and acquaintances, for advice about virus protection, and home computer protection.  Some learn the ins and outs, the dangerous activities, the marks of a phishing email message.  They never ask me to clean their machines.  Some just ask about the “best” antiviral software.  Usually after they’ve asked me to clean off a computer.  I identify what they’ve got, and tell them how they got it.  You shouldn’t [do music sharing|do instant messaging|go to all those weird Websites|open attachments you receive] I tell them.  They always have reasons why they must do those things.  (Not very good reasons, mind you, just reasons.)

You know that old medical joke about “Doctor, it hurts when I do this” “Well, don’t do that”?  It’s not funny.

People ask me what antivirus program I use at home.  Very often I don’t use one, unless I’m testing something.  (At the moment I’m testing two, and I’m about ready to take both of them off, since both of them can be real nuisances at times.)  There are long periods where I run without any “protection.”  I know what not to do.  My wife knows what not to do.  (After all, she read my first book seven times over, while she was editing it.)  We don’t get infected.  Not even by “zero days” or “advanced persistent threats.”

Security technology isn’t perfect.  Security awareness training isn’t perfect.  However, at present, and for as long as I can remember, the emphasis has been on security technology.  We need to give awareness more of a try.

Is security awareness “worth it”?  Is security awareness “cost effective”?  Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security.  Three arguments in favour of at least trying security awareness spending:

1)  When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.

2)  Security awareness is mostly about risk management.  Business management is mostly about risk management.  Security awareness can give you advantages in more than just security.

3)  Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.


Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those kinds of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.


Microsoft Security Essentials review

What with twenty years’ experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 GB of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)

MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.

I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)

You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took; I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan; it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

Phrack #66 is out!

0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tempering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?

You can check it out here.

Now we have something to keep us busy while the net neutrality debates are going on…

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines is inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable to a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think it’s real. IT’S BEEN PROVEN! Not a believer? Just wait around for our next big election — we’ll see who wins.

Q: Cisco Site to Site VPN

A new week, a new question.  This one is a bit more generic and, I believe, raises a few dilemmas; feel free to take a shot at it:

Hi Experts,

Is it secure to just configure a Cisco IPSEC/GRE site-to-site tunnel without a firewall/IPS/IDS? The argument here is that although it is internet facing, there is only host-to-host routing between the routers, and the default route goes to the tunnel. Am I right to say that it is technically secure, since the router only routes traffic between the designated routers?

Thanks in advance.

Regards,
J. O.

Q: Outlook attachments

Another one for you this week; we especially liked XenoMuta’s answer to our previous one.
Let’s go:

Dear SecuriTeam,

I am not sure if you are able to help us find a solution for a special problem, but I’ve tried everything and spent a lot of time on the internet without any achievement.

We want to export the content of multiple Exchange servers from our branch offices into personal folders (.pst files) and import this information into our Exchange mail system. The main problem why we are not yet able to do this is that we want to scan the content for viruses and worms (if possible with multiple virus scanners) and for unwanted content like videos, music, executables and so on, and this in a way that a real content scan is done instead of just checking the file extension. Also, all attached archives (zip, rar etc.) should be opened (if possible) and scanned for their content. If an attachment is found which cannot be scanned because of password protection or encryption or whatever reason, this attachment or the complete mail should be deleted or moved to a quarantine area.

Thank you very much for your support.

Best regards
J. B.
Germany

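A sketch of the attachment policy the letter asks for, added here as an example and not code from SecuriTeam or from the questioner: each attachment body is classified by its leading bytes rather than its file extension, zip archives are opened and their entries classified in turn, and anything that cannot be inspected (an encrypted entry, a corrupt archive, excessive nesting) is quarantined. The magic-byte table, the labels and the sample archives are constructed for the example; `mark_encrypted` is a test fixture that only flips the zip "encrypted" flag, and the hand-off of extracted bodies to the real AV engines is left out.

```python
import io
import zipfile

# Constructed magic-byte table; the file name is never consulted.
MAGIC = {b"MZ": "executable", b"\x7fELF": "executable", b"PK\x03\x04": "zip",
         b"Rar!\x1a\x07": "rar", b"ID3": "audio", b"RIFF": "media"}
BLOCKED = {"executable", "audio", "media", "rar"}  # rar: stdlib cannot open it

def sniff(data: bytes) -> str:
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "other"

def classify(data: bytes, depth: int = 0) -> tuple:  # -> (verdict, reason)
    kind = sniff(data)
    if kind in BLOCKED:
        return "quarantine", f"content is {kind}"
    if kind != "zip":
        return "allow", kind
    if depth > 2:
        return "quarantine", "archive nested too deeply to scan"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    return "quarantine", f"{info.filename}: encrypted, cannot be scanned"
                verdict, reason = classify(zf.read(info), depth + 1)
                if verdict == "quarantine":
                    return verdict, f"{info.filename}: {reason}"
    except zipfile.BadZipFile:
        return "quarantine", "corrupt archive cannot be scanned"
    return "allow", "archive contents scanned"

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()  # constructed sample archive, built in memory
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    # Test fixture only: zipfile cannot write encrypted archives, so set the
    # 'encrypted' flag bit in every local (offset 6) and central (offset 8) header.
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)
```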